
fix: cert generation returns parsed cert with valid Raw field#970

Merged
sinchubhat merged 1 commit into
mainfrom
issue573-deployment
May 18, 2026

Conversation

@sinchubhat
Contributor

@sinchubhat sinchubhat commented May 13, 2026

  • Return x509.ParseCertificate(certBytes) instead of &template
  • Persist web server cert files to disk when loading from Vault
  • Propagate saveCertAndKeyToFiles errors

Related to device-management-toolkit/deployment#573

Output:

docker logs device-management-toolkit-console-1
2026/05/15 01:52:20 Migrate: postgres is trying to connect, attempts left: 20
2026/05/15 01:52:21 Migrate: postgres is trying to connect, attempts left: 19
2026/05/15 01:52:22 Migrate: postgres is trying to connect, attempts left: 18
2026/05/15 01:52:23 Migrate: postgres is trying to connect, attempts left: 17
2026/05/15 01:52:24 Migrate: postgres is trying to connect, attempts left: 16
2026/05/15 01:52:25 Migrate: postgres is trying to connect, attempts left: 15
2026/05/15 01:52:26 Migrate: postgres is trying to connect, attempts left: 14
2026/05/15 01:52:27 Migrate: postgres is trying to connect, attempts left: 13
2026/05/15 01:52:28 Migrate: postgres is trying to connect, attempts left: 12
2026/05/15 01:52:29 Migrate: postgres is trying to connect, attempts left: 11
2026/05/15 01:52:31 Migrate: up success
2026/05/15 01:52:31 Connected to secret store at: http://vault:8200
2026/05/15 01:52:31 Could not load root certificate from Vault: secret not found at path: secret/data//certs/root. Checking local files...
2026/05/15 01:52:31 New root certificate generated
2026/05/15 01:52:31 Root certificate stored in Vault
2026/05/15 01:52:31 Could not load web server certificate from Vault: secret not found at path: secret/data//certs/webserver-10.49.76.159. Checking local files...
2026/05/15 01:52:32 New web server certificate generated
2026/05/15 01:52:32 Web server certificate stored in Vault
2026/05/15 01:52:32 Encryption key loaded from environment
{"level":"info","time":"2026-05-15T01:52:32Z","caller":"/app/cmd/app/main.go:76","message":"UI assets not embedded; skipping browser launch"}
{"level":"info","time":"2026-05-15T01:52:32Z","caller":"/app/cmd/app/main.go:34","message":"app - Run - version: DEVELOPMENT"}
{"level":"warn","time":"2026-05-15T01:52:32Z","caller":"/app/internal/controller/httpapi/ui.go:46","message":"Could not read embedded main.js: open ui/main.js: file does not exist"}
{"level":"info","time":"2026-05-15T01:52:32Z","caller":"/app/internal/controller/tcp/cira/tunnel.go:65","message":"CIRA server running on port 4433"}
{"level":"info","time":"2026-05-15T01:52:32Z","caller":"/usr/local/go/src/fmt/print.go:263","message":"[GIN] 2026/05/15 - 01:52:32 | 200 | 111.324µs |       127.0.0.1 | GET      \"/healthz\""}
{"level":"warn","time":"2026-05-15T01:52:33Z","caller":"/app/internal/controller/tcp/cira/tunnel.go:198","message":"Read error for device : remote error: tls: unknown certificate authority"}
{"level":"info","time":"2026-05-15T01:52:45Z","caller":"/usr/local/go/src/fmt/print.go:263","message":"[GIN] 2026/05/15 - 01:52:45 | 200 | 54.261µs |       127.0.0.1 | GET      \"/healthz\""}
{"level":"info","time":"2026-05-15T01:52:57Z","caller":"/usr/local/go/src/fmt/print.go:263","message":"[GIN] 2026/05/15 - 01:52:57 | 200 | 59.955µs |       127.0.0.1 | GET      \"/healthz\""}
{"level":"info","time":"2026-05-15T01:53:09Z","caller":"/usr/local/go/src/fmt/print.go:263","message":"[GIN] 2026/05/15 - 01:53:09 | 200 | 83.603µs |       127.0.0.1 | GET      \"/healthz\""}

After restart

  • Root certificate loaded from Vault - loaded existing cert instead of regenerating
  • Web server certificate loaded from Vault - same, loaded from Vault
docker restart device-management-toolkit-console-1
device-management-toolkit-console-1
hspe@BA38RNL00653:~/sinchana/test-issue573-deployment/deployment$ docker logs --tail 20 device-management-toolkit-console-1
{"level":"info","time":"2026-05-15T01:54:46Z","caller":"/usr/local/go/src/fmt/print.go:263","message":"[GIN] 2026/05/15 - 01:54:46 | 200 | 91.266µs |       127.0.0.1 | GET      \"/healthz\""}
{"level":"info","time":"2026-05-15T01:54:58Z","caller":"/usr/local/go/src/fmt/print.go:263","message":"[GIN] 2026/05/15 - 01:54:58 | 200 | 77.439µs |       127.0.0.1 | GET      \"/healthz\""}
{"level":"info","time":"2026-05-15T01:55:10Z","caller":"/usr/local/go/src/fmt/print.go:263","message":"[GIN] 2026/05/15 - 01:55:10 | 200 | 96.707µs |       127.0.0.1 | GET      \"/healthz\""}
{"level":"info","time":"2026-05-15T01:55:22Z","caller":"/usr/local/go/src/fmt/print.go:263","message":"[GIN] 2026/05/15 - 01:55:22 | 200 | 98.858µs |       127.0.0.1 | GET      \"/healthz\""}
{"level":"info","time":"2026-05-15T01:55:34Z","caller":"/usr/local/go/src/fmt/print.go:263","message":"[GIN] 2026/05/15 - 01:55:34 | 200 | 67.999µs |       127.0.0.1 | GET      \"/healthz\""}
{"level":"info","time":"2026-05-15T01:55:46Z","caller":"/usr/local/go/src/fmt/print.go:263","message":"[GIN] 2026/05/15 - 01:55:46 | 200 | 52.753µs |       127.0.0.1 | GET      \"/healthz\""}
{"level":"warn","time":"2026-05-15T01:55:55Z","caller":"/app/internal/controller/tcp/cira/tunnel.go:198","message":"Read error for device : remote error: tls: unknown certificate authority"}
{"level":"info","time":"2026-05-15T01:55:58Z","caller":"/usr/local/go/src/fmt/print.go:263","message":"[GIN] 2026/05/15 - 01:55:58 | 200 | 66.727µs |       127.0.0.1 | GET      \"/healthz\""}
{"level":"info","time":"2026-05-15T01:55:59Z","caller":"/app/internal/app/app.go:66","message":"app - Run - signal: terminated"}
2026/05/15 01:56:00 Migrate: no change
2026/05/15 01:56:00 Connected to secret store at: http://vault:8200
2026/05/15 01:56:00 Root certificate loaded from Vault
2026/05/15 01:56:00 Web server certificate loaded from Vault
{"level":"info","time":"2026-05-15T01:56:00Z","caller":"/app/cmd/app/main.go:76","message":"UI assets not embedded; skipping browser launch"}
{"level":"info","time":"2026-05-15T01:56:00Z","caller":"/app/cmd/app/main.go:34","message":"app - Run - version: DEVELOPMENT"}
2026/05/15 01:56:00 Encryption key loaded from environment
{"level":"warn","time":"2026-05-15T01:56:00Z","caller":"/app/internal/controller/httpapi/ui.go:46","message":"Could not read embedded main.js: open ui/main.js: file does not exist"}
{"level":"info","time":"2026-05-15T01:56:00Z","caller":"/app/internal/controller/tcp/cira/tunnel.go:65","message":"CIRA server running on port 4433"}
{"level":"info","time":"2026-05-15T01:56:12Z","caller":"/usr/local/go/src/fmt/print.go:263","message":"[GIN] 2026/05/15 - 01:56:12 | 200 | 146.643µs |       127.0.0.1 | GET      \"/healthz\""}
{"level":"warn","time":"2026-05-15T01:56:18Z","caller":"/app/internal/controller/tcp/cira/tunnel.go:198","message":"Read error for device : remote error: tls: unknown certificate authority"}
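The first bullet of the description, shown as an added illustration that is not code from this PR or the device-management-toolkit project: `x509.CreateCertificate` returns only DER bytes and never writes back into the template, so returning `&template` hands callers a certificate with an empty `Raw` (and empty `RawTBSCertificate`/`Signature`), which Go's `Verify` refuses outright. `GenerateRoot`, `HasUsableRaw` and `VerifySelfSigned` are assumed helper names, and the subject and validity values are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// GenerateRoot is an assumed stand-in for the project's generator: CreateCertificate
// returns only DER and never touches the template, so returning &template leaves Raw nil.
func GenerateRoot(returnTemplate bool) (*x509.Certificate, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	template := x509.Certificate{ // constructed sample values
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-root"},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, &template, &template, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	if returnTemplate {
		return &template, der, nil // bug: Raw, RawTBSCertificate and Signature are all empty
	}
	cert, err := x509.ParseCertificate(der) // fix: the parsed cert is backed by the DER
	return cert, der, err
}
// HasUsableRaw reports whether cert carries the exact DER it was issued as.
func HasUsableRaw(cert *x509.Certificate, der []byte) bool {
	return len(cert.Raw) > 0 && bytes.Equal(cert.Raw, der)
}
// VerifySelfSigned trusts cert as its own root; Verify rejects any cert with an empty Raw.
func VerifySelfSigned(cert *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool})
	return err
}
```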

@codecov

codecov Bot commented May 13, 2026

Codecov Report

❌ Patch coverage is 50.00000% with 8 lines in your changes missing coverage. Please review.
✅ Project coverage is 41.40%. Comparing base (8bb7d69) to head (86beee0).

Files with missing lines Patch % Lines
internal/certificates/generate.go 50.00% 5 Missing and 3 partials ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main     #970      +/-   ##
==========================================
+ Coverage   40.81%   41.40%   +0.59%     
==========================================
  Files         134      134              
  Lines       12311    12319       +8     
==========================================
+ Hits         5025     5101      +76     
+ Misses       6763     6672      -91     
- Partials      523      546      +23     



Copilot AI left a comment


Pull request overview

This PR fixes certificate handling so generated certificates return parsed DER-backed structures and web server certificates can be restored from Vault for CIRA disk-based usage.

Changes:

  • Returns parsed certificates from root and web server certificate generation.
  • Adds Vault certificate load validation and malformed-cert cleanup path.
  • Adds tests for parsed certificate .Raw content and web server cert persistence.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File Description
internal/certificates/generate.go Updates certificate store field constants, Vault load validation, parsed certificate returns, and disk persistence for web server certs.
internal/certificates/generate_test.go Adds tests covering Vault loading, parsed certificate returns, and disk persistence behavior.

@sinchubhat sinchubhat requested review from nbmaiti and sudhir-intc May 14, 2026 08:32
@sinchubhat sinchubhat marked this pull request as ready for review May 14, 2026 09:09
@madhavilosetty-intel madhavilosetty-intel force-pushed the issue573-deployment branch 2 times, most recently from 3782fce to 162586b May 15, 2026 03:04
@sinchubhat sinchubhat force-pushed the issue573-deployment branch from a7681e6 to f368bb5 May 15, 2026 04:32
@sinchubhat sinchubhat changed the title fix: certificate generation and Vault recovery bugs fix: cert generation returns parsed cert with valid Raw field May 15, 2026
* Return x509.ParseCertificate(certBytes) instead of &template
* Persist web server cert files to disk when loading from Vault
* Propagate saveCertAndKeyToFiles errors

Related to device-management-toolkit/deployment#573
@sinchubhat sinchubhat force-pushed the issue573-deployment branch 2 times, most recently from bb15136 to 86beee0 May 18, 2026 04:04
@sinchubhat sinchubhat merged commit 9d06967 into main May 18, 2026
20 checks passed
@sinchubhat sinchubhat deleted the issue573-deployment branch May 18, 2026 04:09
@RosieAMT

🎉 This PR is included in version 1.26.5 🎉

The release is available on:

Your semantic-release bot 📦🚀


Successfully merging this pull request may close these issues.

error with deployment main branch (console)

4 participants